Are you aware of everything that your users are accessing from your environment?

While most of the time, non-work-related Internet browsing is harmless (looking at pictures of cats, online shopping, social media, etc.) there are some instances where you could be an unknowing and unwilling participant in criminal activity. That is, when users hide that activity via the Tor network, or the Dark Net.

The Onion Router, better known as "Tor", an open source project, launched in 2002, is designed to allow a user to browse the Internet anonymously via a volunteer network of more than 5000 relays. It doesn't share your identifying information like your IP address and physical location with websites or service providers.

A user that navigate Internet using Tor, it's quite difficult to trace its activities ensuring his online privacy. There are arguably legitimate uses for this technology, such as providing Internet access in repressively regulated countries.

Tor has been a favorite target of intelligence agencies. NSA targeted the Tor users, using a zero-day vulnerability in Firefox browser, bundled with Tor, that allowed them to get the real IP address of the anonymous Tor users.

Using same techniques, FBI was also able to track the Owner of 'Freedom Hosting', the biggest service provider for sites on the encrypted Tor network, hosted many child pornography sites.

However, Mozilla has then fixed that Firefox flaw exploited by government law enforcement officials.

Moreover, Tor is often associated with illicit activity (child pornography, selling controlled substances, identity theft, money laundering, and so on). Most admins will want to prohibit their users from using the Tor network due to its association with nefarious activity.

Since the point of origin is nearly impossible to determine with conventional means, many bad actors leverage the Tor network to hide the location of Command & Control servers, machines taking ransomware payments, etc. This makes identifying these them and their malware that much harder.

Users browsing the Tor network (for illicit purposes or not) from your environment can open you up to hosting malicious/illegal content, Ransomware infection, or unknowingly participating in other malicious activity. Therefore it is also known as DeepNet or Deep Web.

The correlation directives and IDS signatures in AlienVault Unified Security Management (USM) can detect when a system is attempting to resolve a Tor domain, and allow you to take corrective action. Plus, new & updated correlation directives developed by the experts at AlienVault Labs are pushed to USM weekly, enabling detection of emerging threats.